add selinux labels for QAT

Signed-off-by: Manish Regmi <manish.regmi@intel.com>
2025-06-03 03:59:37 +00:00 · 2022-06-01 10:13:11 -07:00 · 2022-06-01 10:13:11 -07:00 · a888a91d2a
commit a888a91d2a
parent 97ac67f46f
3 changed files with 8 additions and 0 deletions
--- a/deployments/qat_plugin/base/intel-qat-plugin.yaml
+++ b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@ -17,6 +17,8 @@ spec:
      - name: intel-qat-plugin
        image: intel/intel-qat-plugin:devel
        securityContext:
+          seLinuxOptions:
+            type: "container_device_plugin_t"
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        imagePullPolicy: IfNotPresent
--- a/pkg/controllers/qat/controller.go
+++ b/pkg/controllers/qat/controller.go
@ -222,6 +222,9 @@ func setInitContainer(dsSpec *v1.PodSpec, dpSpec devicepluginv1.QatDevicePluginS
 				Value: strings.Join(enablingPfPciIDs, " "),
 			}},
 			SecurityContext: &v1.SecurityContext{
+				SELinuxOptions: &v1.SELinuxOptions{
+					Type: "container_device_plugin_init_t",
+				},
 				Privileged:             &yes,
 				ReadOnlyRootFilesystem: &yes,
 			},
--- a/pkg/controllers/qat/controller_test.go
+++ b/pkg/controllers/qat/controller_test.go
@ -72,6 +72,9 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:           devicePlugin.Spec.Image,
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
+								SELinuxOptions: &v1.SELinuxOptions{
+									Type: "container_device_plugin_t",
+								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},